ITS 3250 - Securing Systems

Security Strategies in Windows...
Chapters 1 and 2

This lesson presents an introduction to Windows and threats. Objectives important to this lesson:

  1. Windows and a typical infrastructure
  2. Windows threats and vulnerabilities
  3. Discovery, analysis, and remediation
  4. Common attacks

  5. Windows OS components
  6. System architecture
  7. Access controls
  8. Access rules, rights, and permissions
  9. Users and groups
  10. Attack surfaces and mitigation
  11. Security monitoring
Chapter 1

Our text begins with a sensible reason for using defense in depth, the practice of using multiple defense strategies. It is a good practice because complex systems are unlikely to be protected by one solution. You are better off with multiple defenses that won' t all be defeated by the same attack.

Chapter 1 reviews the standard computer system goal of protecting three aspects of your systems.

  • Confidentiality - information should only be accessible to users who have been granted access to it for valid reasons. Only authorized users can access data if it is protected properly, and if authorized users do not violate security policy.
  • Integrity - data may not be changed except by authorized users or processes. This means that data must be protected from alteration, deletion, or other changes to its intended form.
  • Availability - authorized users can access data when they need to do so. Availability includes the idea that proper access methods are provided to only to authorized users, not to everyone.
This makes it unanimous. Those three ideas have been featured in all three of my classes this term. In the image on the right, which I pulled from a portion of Wikipedia, I added some color to make it more attractive. I chose this one because it makes a point that the texts have not made. Each of those services depends partly on the other two. You need all three for a system to meet any of the CIA goals properly.

The text begins the first objective on page 7, We are reminded of the workstation versions of Windows since XP: XP, Vista, Windows 7, and Windows 8. The text was apparently written before Windows 10, and the author ignores Windows ME like everyone else does.

The list of server versions of Windows is similarly out of date, A more complete list of both client and server versions can be found on this Wikipedia page.

On page 10, the text begins a general discussion of Windows threats and vulnerabilities. Both terms are defined. Threats are defined as anything that could cause damage, disruption, or loss. Vulnerabilities are defined as weaknesses, in this case in the Windows operating system or associated software. Both terms should be familiar to you.

The text discusses three worms (malware programs that propagate themselves to other computers) from the early 2000s:

  • Code Red - Code Red was discovered in mid-2001. It targeted IIS servers, servers running Microsoft Internet Information Services, the default web server that comes with Windows Server editions. It had three phases:
    • Place a message on web sites on the infected machine. The default message is in the text.
    • Like any worm, attempt to spread itself to other servers. Typically, web servers pass information from one to another, so this was a reasonable plan.
    • After 20 to 27 days, the infected servers would launch Denial of Service (DoS) attacks on specific other servers.
      A more detailed discussion of this worm's features is available here.

    The text explains that Code Red worked by exploiting a buffer overflow vulnerability, for which a patch had been available for about a month before Code Red was found in the wild. The author observes that the Code Red authors were probably instructed about this vulnerability by the knowledge base article about the vulnerability that was published with the patch. This is not unusual. Some organizations are slow to apply security patches, which made the servers in those organizations specifically vulnerable to the new worm. Lesson: patch before you are victimized by a suddenly a new lesson for hackers. The text implies that the infected servers would have been safe with the patch. Maybe. See the next discussion.

  • SQL Slammer - SQL Slammer appeared in January of 2003 and again in 2016. The text mentions that it exploited another overflow vulnerability, this time in SQL Server and in Desktop Engine database programs. This means that is attacked servers and workstations. Once again, there was a patch available for it, but this worm was more dangerous in that it could send itself by UDP packets, which do not require a live connection to the computer that is being attacked. It also used UDP packets in large numbers during its propagation efforts, causing stress or malfunction to occur to routers, effectively staging a DoS attack on the network being infected.

  • Conficker - The discussion of Conficker in the text is a bit less enlightening than the other two discussions. It emerged in 2008, but it continues to be around. This link goes to a 2018 update about Conficker from Microsoft. Note the long list of Windows versions where it may be found. Take a look at this set of pages from Symantec about it. The Technical Description tab displays a page that is more enlightening about the worm's propagation and its behavior.

The text presents a three step process that is typically followed when any virus or worm is detected, which actually is the first step:

  • Discovery - The text points out that an attack is almost always noticed by the effects it causes. In the case of Code Red, the worm announces its presence. They aren't often that polite. It is more likely that the effects of the attacking code will be noticed by the changes made in the behavior of the workstations, servers, and/or network devices.
  • Analysis - Analysis begins with examination of the odd behavior that was noticed, then continues with determination of its causes. The text points out that frequent review of problems that have happened to other users, typically those noted on antivirus web sites, can lead to better analysis and immediate understanding of the problem.
  • Remediation - Remediation is self explanatory, but the text presents a formal method that will apply in general: contain the damage, recover the lost services (which means to patch or do what is necessary), and start using controls to prevent similar loss. Often, this means that you need to apply the patches you should have applied, but it can also mean to renew licenses, install monitoring software, or to stop using a practice that exposes you to loss.
Chapter 2

This chapter begins with two observations, that an operating system for computers is a coordinated collection of software, not just one file or program, and that a control is anything we use to address the goals of information security. So, before addressing controls for particular parts of the Windows operating system, the text reviews several important part of it, starting with the kernel.

The kernel is the name given to the most necessary part of most operating systems (e.g. Windows, Linus, Apple OS). In Windows, parts of the kernel are loaded into the working memory of any computer running it, and other parts are left in nonvolatile storage until there is a need to load them. The kernel provides basic access to hardware, calls other portions of itself (as needed) and runs other parts of the operating system, including drivers that have been installed for particular hardware. The text mentions that some operating systems use a microkernel, a smaller than usual version of the kernel, that calls more external programs than the usual kernel has to call.

Page 23 lists five major services performed by an operating system. These services may also be performed by applications for their own needs, but they belong with the operating system first.

  • program/process management - This includes allocating memory for programs, loading them and unloading them, and scheduling CPU cycles for them.
  • input and output - This handles the basic requirement to receive input for the operating system (and all programs) and to handle the various forms of output that may be needed.
  • file system - Although many systems consider objects in memory to be files, this refers to reading, writing, and organizing data on long term storage devices.
  • communication - This refers to communication that must take place between programs and with portions of the operating system, not to communication with other systems or devices.
  • error detection and alerts - This is about watching for unexpected events when programs, and the operating system, run. Errors are typically reported as screen messages to the user.

You should know that some programs rely totally on these services in the operating system, as opposed to having functions to handle these services themselves.

On page 24, the text tells us that current versions of Windows work with a microkernel that calls other parts of the OS that run in kernel mode. Aside from that distinction not being immediately explained, the text tells us that this is not usually done in other OSs that run with a microkernel. Windows does it to provide a more modular approach, allowing essential parts of the kernel to be updated without having to always update the microkernel itself.

Explaining the phrase "kernel mode", the text tells us that programs running on Windows system can run in one of two modes; Kernel mode is a mode with more privileges, and only meant to be used by OS components that are called by the kernel, which always runs in this mode. Kernel mode allows privileged access to the hardware of the computer. User mode is how most programs are meant to operate, passing their hardware requests through the kernel mode programs. This is illustrated in the figure on page 25. In the image below, from Wikipedia, a bit more detail is shown. You can click the image below to visit the Wikipedia discussion of this material, which is also more detailed.

Both images and discussions tell us that if an attacker can get his/her code to run in kernel mode, that code can do whatever the attacker wants to do with the system and its hardware.

The charts on page 26 describe the functions of two user mode components and four kernel mode components. (In the image above, you can see that each of the components covered in the text can have components of its own.) The information below is taken from the same page in Wikipedia.

Mode Component Description
User Integral subsystem The integral subsystem deals with security tokens, grants or denies access to user accounts based on resource permissions, handles login requests and initiates login authentication, and determines which system resources need to be audited by Windows.
User Environment subsystem The interface between user mode applications and operating system kernel functions is called an environment subsystem. None of the environment subsystems can directly access hardware; access to hardware functions is done by calling into kernel mode routines.
Kernel Executive The Windows Executive services make up the low-level kernel-mode portion, and are contained in the file NTOSKRNL.EXE. It deals with I/O, object management, security and process management.
Kernel Kernel mode drivers Kernel-mode device drivers enable the kernel to interact with hardware devices. All devices are seen by user mode code as a file object in the I/O manager, though to the I/O manager itself the devices are seen as device objects, which it defines as either file, device, or driver objects.
Kernel Microkernel This is the portion of the kernel that is loaded when the system boots. It calls other components when needed. It provides CPU access, process scheduling, exception handling, and more.
Kernel Hardware abstraction layer (HAL) HAL is a layer between the physical hardware of the computer and the rest of the operating system. It was designed to hide differences in hardware and provide a consistent platform on which the kernel is run. The HAL includes hardware-specific code that controls I/O interfaces, interrupt controllers and multiple processors. It is matched with the kernel itself, and must be updated if the kernel is updated.


The text moves on to discuss three important, related mechanisms. Identification takes place when a user tells a system who they are, typically by entering a recognized user ID. Authentication takes place when a user proves they are the person that a user ID stands for, typically by entering the password linked to that ID. Access control is the process of allowing or denying access to assets based on the permissions that have been granted to the ID for which the user has authenticated. Access control is done by the system. Permissions must have already been set up for the ID by someone with permission to do so, or the access control will not have any effect.

The text lists three types of authentication on page 28. They are classic methods.

  • Type I - something you know, such as a password
  • Type II - something you have, such as using an RSA token with a display that changes once a minute, and the token (code) on the display must be entered as part of your authentication
  • Type III - something you are, such as a biometric characteristic like a fingerprint or a retinal scan

The text does not mention other more recent additions to authentication methods:

  • something you do, such as moving your finger in a specific pattern on a touch screen
  • email or text code, such as changing a forgotten password for an online account, by following a link the service send you and entering a one time, short lived code
  • There are more methods listed in this article from Network World.

The text introduces the idea that access control applies to programs and processes on a system as well as to users. Whether a requester is a user or some process, that requester is called a subject by the access control system. The resource that the subject is attempting to access is called the object of the request.

The text lists three types of access control models, each of which has a different approach to using ACLs (Access Control Lists).

  • Discretionary Access Control (DAC) - Rights that are granted to a subject under this system may be granted by that subject to other subjects in the system. This means that the owner of an object can assign rights to other subjects (users) without needing the intervention of an administrator.
  • Mandatory Access Control (MAC) - In this one, there is more restriction. Objects are assigned to security classes, and subjects (users) are assigned security clearance levels. The result is that a user who has a clearance, for example, only for Confidential (and below) information cannot be assigned rights to an object classified as Secret or Top Secret.
  • Role-based Access Control (RBAC) - Roles are like groups. Users can be assigned to either and rights can be inherited from the group or role by the user. A user can be assigned to multiple roles. In this system:
    • that subjects must be assigned to roles or they will have no rights,
    • that the role a subject is assigned to must be allowed (authorized) for the subject, which is not usually done with groups,
    • and that transactions must be authorized for the role a subject is in, else the subject cannot perform them.

On page 29, the text describes using the Users and Groups utility in Computer Management, which it forgets to mention is only found in servers, not on workstations. In the illustration on page 30, you see the utility running, displaying local groups that have been defined on the system being used.

We are told (reminded?) that each local user and group has a unique Security Identifier (SID). Five objects having well known (default) SIDs are listed:

  • Null SID - a group with no members, used by default when an SID for an object is not known
  • World - a group that includes all users in a system
  • Local - a group that holds all users logged in to the system with a local terminal
  • Creator Owner ID - a placeholder that is replaced by the actual user ID of a user who creates an object
  • Creator Group ID - a placeholder that is replaced by the actual primary group of a user who creates an object (see above)

The text explains that a user's access rights will be the sum of personal rights and the rights assigned to the groups a user belongs to. The text wanders in the weeds, teaching us some Microsoft operational definitions for words that are treated as synonyms in English. Unfortunately, these words are defined by different texts and different web posters in different ways. This is what your book says:

  • rights - tasks that a user can perform on system objects are rights; example are manage and shut down
  • permissions - typically, permissions refer to rights to files and folders in a system; example permissions are read, write, execute, and delete

It is important to know that every object in a Windows environment (and in an Active Directory environment) has a property called an Access Control List, an ACL. This is a list of users and groups who have been granted or denied specific kinds of access to that object.

The text briefly discusses Workgroups, which Microsoft recommend not using if your local network has more than ten users. More useful information picks up on page 32, with the discussion of Active Directory, the database of network objects that is used in practically all Windows networks. We are warned that using Active Directory requires more processing power for the servers that maintain it. The text tells us that security is increased on systems using Active Directory due to each user ID being unique in the entire system. This is not true for old style networks that allowed each server to have its own local users, each of whom would have a different SID.

After vamping for several sentences, the text tells us on page 33 that the collection of all possible vulnerabilities that could provide unauthorized access to computer resources" is called an attack surface. Each resource can be said to have its own attack surface. As noted elsewhere, the text recommends a multilayered defense, installing more than one kind of protection for each asset. One kind of protection is to minimize the rights that are granted to users for objects in the system. The text also mentions that servers should be configured to only offer the services that are needed from them, not the full spectrum of services that a server might provide. For instance, disabling IIS on a server will prevent an attacker from running an exploit on IIS on that server. The text recommends using Server Manager to implement and run only the services that your network needs. Removing unnecessary services is a standard part of hardening a server, making it more difficult to attack.

When a service is needed, the server providing it can still be hardened in other ways. The text mentions two on page 34: removing vulnerabilities with patches and updates, and preventing attacks on existing vulnerabilities with multiple layers of controls. It should be a standard maintenance concern to do both for all appropriate devices on your network.

The text reminds us to consider security for a system at three particular times, which it refers to as milestones.

  • Installation of the operating system or applications
  • Monitoring the operation of the system
  • Making configuration changes to the system

The text admits that monitoring is not so much an event as a regular task, but checking security should be part of it.


Assignments for these chapters will be found in Canvas. We will explore that in class.